We give an example of a wide class of problems for which quantum information protocols based
on multi-system entanglement can be mapped into much simpler ones involving one system. Secret
sharing is a cryptographic primitive which plays a central role in various secure multiparty
computation tasks and management of keys in cryptography. In secret sharing protocols, a classical
message is divided into shares given to recipient parties in such a way that some number of parties
need to collaborate in order to reconstruct the message. Quantum protocols for the task commonly
rely on multi-partite GHZ entanglement. We present a multiparty secret sharing protocol which
requires only sequential communication of a single quantum d-level system (for any prime d). It has
huge advantages in scalability and can be realized with state-of-the-art technology.

PACS numbers: 03.67.Hk, 03.67.-a, 03.67.Dd 


I. INTRODUCTION 

Splitting a message into N shares so that the original
message can be reconstructed if and only if at least
k < N of the shares are known is called an (N, k) secret
sharing threshold scheme (the threshold is k). Secret
sharing constitutes an important cryptographic primitive
in protocols for secure multiparty computation including
password-authenticated key agreement, hardware security
modules, private querying of databases, and establishment
of access codes with restricted access. The
first secret sharing schemes were presented independently
by Shamir and Blakley by means of classical algorithms
to split the message and classical communication to
distribute the shares [l|, Q •

In Shamir's (N, k) secret sharing threshold scheme, the
distributor chooses a set of k positive integers, known
only to him/her, $a_0, \ldots, a_{k-1} \in \{1, \ldots, P\}$, where P is
some large prime. The first integer $a_0$ is the secret. The
k'th order polynomial $p(x) = a_0 + a_1 x + \ldots + a_{k-1} x^{k-1}$
is used for coding the data. For $l = 1, \ldots, N$ the distributor
computes $p(l)$ and communicates the value only to the
l'th party. If at least k of the recipients collaborate, they
can easily recover the secret $a_0$, whereas knowing fewer
than k shares yields no information on $a_0$. However, like
many schemes in classical cryptography, Shamir's scheme
is vulnerable to intercept-resend attacks on the
communications of the distributor.

The security for cryptographic tasks can be enforced by
introducing quantum resources Si- Quantum methods
for (classical) secret sharing by three parties in a form
of cryptographic protocol based on three particle GHZ
entanglement Q were given in In an independent
later development, secret sharing protocols for three or
four parties were proposed in Ref. Q- Secret sharing
for arbitrarily many parties exploiting multipartite qubit
entanglement can be found in Ref. [ 3 , wherein security
issues were shown to be linked to Bell inequalities. A
general secret sharing scheme using multipartite d-level
entanglement is given in Q. Also, general (N, k) quantum
secret sharing threshold schemes have been analyzed
in Ref. [l^ .

There are several experimental demonstrations of secret
sharing schemes with quantum resources. Three and
four partite secret sharing using entanglement were
reported in Refs. [H, [l^- However, entanglement-based
protocols are not scalable. The difficulty of obtaining the
required quantum correlations grows with the number of
parties involved.

Fortunately, a more scalable secret sharing (of classical
data) can be achieved using only sequential communication
of a single qubit, see Ref. [l^. The work reports a
successful proof-of-principle experimental demonstration
of six party secret sharing of such a kind. Nevertheless,
the security of the proposed secret sharing schemes is not
as robust as the security of Quantum Key Distribution
(QKD). This is discussed in Ref. [H, [ig for both the
entanglement-based scheme of n and the single qubit
scheme of [l^ .

In this letter, we present an (N, N) secret sharing
threshold scheme using a single d-level quantum system,
for odd prime dimension d. We investigate eavesdropping
attacks and security issues. Finally, we discuss the
scalability and efficiency of our protocol in comparison
to other schemes involving qudit systems. Our principal
aim is to show that one can map GHZ state protocols
extended to d-level systems into protocols involving
sequential transfer of a single qudit (as this is a significant
simplification of such schemes). We restrict d to odd
primes because our protocol uses a cyclic property of a
set of Mutually Unbiased (orthonormal) Bases (MUBs).
Many MUBs are still unknown [i3- Complete sets are
only known for dimensions which are powers of prime
numbers [l^. For this restricted set of dimensions, the
algebraic property on which our scheme relies was found
only for odd prime dimensions.

The relation of our single qudit scheme with respect
to GHZ state qudit secret sharing can be thought to be
similar to that of the BB84 QKD-protocol Q and the E91
QKD-protocol based on entanglement. However, due
to the in principle arbitrary number of parties involved,
significant advantages of the single qudit scheme emerge
with the growing number of parties.


II. SECRET SHARING USING GHZ STATE 
CORRELATIONS 

Let us first describe a secret sharing protocol using 
multipartite d-level entanglement, for which d is an odd 
prime. This particular protocol is outlined in Q. 

The protocol is designed for N + 1 party secret sharing
and requires an N + 1 partite d-level GHZ state:
\GHZ^+^) = The party 1 ($R_1$) acting
as the distributor prepares the GHZ state, keeps one
particle, and distributes the remaining N particles to the
N recipient parties. In the given run, each of the N + 1
parties independently chooses one of d possible bases in
which the local particle is measured.

For security purposes, all parties choose their measurement
bases from a set of d MUBs. The unit vectors belonging
to the full set of d + 1 MUBs will be denoted as
$|e_l^{(j)}\rangle$, where $j = 0, \ldots, d$ labels the basis and $l = 0, \ldots, d-1$
enumerates the vectors of the given basis. One has for
$j \neq j'$




1 

d' 


( 1 ) 


Apart from the computational basis, for which we give
the index j = d, and denote its states by $|k\rangle$, the remaining
d MUBs are given by



1 

\/d 
where $\omega$ = It can be easily shown that (2) satisfies
(1) for all prime dimensions [^. We will denote by M
the set of all vectors belonging to the MUB defined by
(2) and its elements by $M_{l,j}$, with the meaning of the
indices as above.

In each run of the experiment party n (denoted by $R_n$)
chooses randomly a measurement basis $j_n$. The local
measurement in the basis projects his/her particle onto
one of the vectors $M_{l_n,j_n}$. This is governed by the probability
distribution
Perfect GHZ correlations are possible if

$$\sum_{n=1}^{N+1} j_n = 0 \mod d. \qquad (3)$$


In such a case, only results satisfying $\sum_{n=1}^{N+1} l_n = 0 \mod d$
occur, and all sets satisfying this relation are
equally probable. However, if condition (3) does not
hold, then the probability distribution of the results is
uniform. This is easy to see once one realizes that ©
and © implies that | X]fc=o^ J 0
any 1.

Once the measurements are performed, the parties announce
their choices of $j_n$. The distributor checks condition (3).
Only if it is satisfied, the round is treated
as valid and is used for secret sharing. The local results
satisfy $\sum_{n=1}^{N+1} l_n = 0 \mod d$, whereas a sum with one or
more $l_n$ missing has an arbitrary value (mod d). Thus
even N - 1 collaborating parties cannot learn the values
obtained by the other two. But N parties can establish
the value of the remaining party. As the choices of $j_n$ are
random, the protocol succeeds in 1/d of the cases.


III. SECRET SHARING WITH A SINGLE
QUDIT 

Our protocol relies on a cyclic property of the set of
MUBs: there exist unitary transformations $U_{l',j'}$, such
that for any $l', j' \in \{0, \ldots, d-1\}$, any vector $M_{l,j}$ can
be mapped into $M_{l+l',j+j'}$. That is, elements of M are
mapped into elements of M.

Note that any vector $M_{l,j}$ can be transformed into
$M_{l+1,j}$ by applying the transformation

$$X_d = \sum_{n=0}^{d-1} \omega^{n} |n\rangle\langle n|. \qquad (4)$$

Simply, using o and one gets 

Also, any $M_{l,j}$ can be transformed into $M_{l,j+1}$ by

$$Y_d = \sum_{n=0}^{d-1} \omega^{n^2} |n\rangle\langle n|. \qquad (6)$$

This can be shown in a similar way. Thus, by applying
the operator $U_{l',j'} = X_d^{l'} Y_d^{j'}$, any $M_{l,j}$ is mapped into
$M_{l+l',j+j'}$.

The protocol runs as follows. 

(i) The distributor $R_1$, who by the nature of the task
is always assumed to be an honest party, prepares the
state $|e_0^{(0)}\rangle$ = \ j) ^ Tf, which will be denoted
by $|\psi_0\rangle$.

(ii) $R_1$ picks two random numbers $x_1, y_1 \in \{0, \ldots, d-1\}$,
and performs on $|\psi_0\rangle$ the transformation $U_{x_1,y_1}$.
This gives $|\psi_1\rangle \in M$. The state is sent to party $R_2$.

(iii) For $n = 2, \ldots, N+1$, the party $R_n$ generates two
independent random numbers $x_n, y_n \in \{0, \ldots, d-1\}$, and
applies $U_{x_n,y_n}$ to the qudit received from $R_{n-1}$.
$R_n$'s action gives a state $|\psi_n\rangle$ which is sent to the subsequent
party $R_{n+1}$, except in the case of $R_{N+1}$, who sends the qudit
back to the distributor, $R_1$.

(iv) $R_1$ randomly chooses $J \in \{0, 1\}$ and measures
the qudit in the basis $J$. The outcome is
labeled $a \in \{0, \ldots, d-1\}$.

(v) In random order only parties $R_2, \ldots, R_{N+1}$ announce
their choice of $y_n$. The distributor announces
only whether the round is valid or not. It is valid provided:

$$\sum_{n=1}^{N+1} y_n = J \mod d. \qquad (7)$$

Otherwise the round is rejected. If the round is valid, the
private data of the parties, $\{x_n\}$, satisfy globally

$$\sum_{n=1}^{N+1} x_n = a \mod d. \qquad (8)$$

The data exhibit perfect correlations and thus can be
used for secret sharing, as was the case for GHZ based
protocols, provided $R_1$ resets his/her $x_1$ to $x_1 - a$.
Again, the probability of a valid round is 1/d.

(vi) In order to check the security, for a randomly chosen
(by the distributor) subset of the rounds, all parties
$R_2, \ldots, R_{N+1}$ announce the values of their private data
$x_n$ (in the same sequence as was the announcement of
the $y_n$'s). The distributor checks (8). If $R_1$ registers a
substantial fraction of check runs for which (8) does not hold,
$R_1$ declares the whole secret sharing attempt as corrupt
(more details on security checks later).

(vii) If the secret sharing attempt is not corrupt, parties
$R_2, \ldots, R_{N+1}$, after exchanging all their data $x_n$ for
a valid run, not used in the security check, can learn the
otherwise secret value for the given run, earlier
known only to the distributor $R_1$.

The protocol works because after all the transforma¬ 
tions the final state reads 



/N+l 




(9) 


$R_1$'s measurement of (9) yields an outcome with unit
probability, provided $|\psi_{\mathrm{final}}\rangle$ is an eigenstate of the
measured observable. This happens if and only if (7) is
satisfied. Otherwise, $|\psi_{\mathrm{final}}\rangle$ is some element $M_{l',j'}$ with
$j' \neq J$ and thus by (1) the probability of any outcome is
1/d.

For a valid run the correlations are effectively equivalent
to the ones for the GHZ based protocol: the choice
of $y_n$ corresponds to $R_n$'s choice of measurement basis,
while $x_n$ is analogous to the local outcome.


IV. SECURITY DISCUSSION 

Protocols for secret sharing have to guarantee security.
Consider an example of an attack by an external eavesdropper.
If the eavesdropper, Eve, attempts an intercept-resend
attack and intercepts the qudit, in the state
on the way from $R_k$ to $R_{k+1}$, she can choose one of d relevant
bases to measure. With probability 1/d she chooses
a basis $j' = j$ and the attack succeeds, but with probability
$(d-1)/d$ she has $j \neq j'$, in which case the state she sends to
$R_{k+1}$ will be altered. The eavesdropping, to some extent
depending on d, causes inconsistencies between the private
data and condition (8), and is therefore detectable
in step (vi) of the protocol.
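
The correlations of Sec. III and the intercept-resend argument above can be checked with exact state-vector arithmetic. This is an added example, not code from the paper: it assumes $\omega = e^{2\pi i/d}$ and the standard odd-prime MUB form $|e_l^{(j)}\rangle = d^{-1/2}\sum_k \omega^{k(l+jk)}|k\rangle$ for Eq. (2), which is not legible on this page, and the function names and sample $x_n$, $y_n$ values are constructed. It goes slightly beyond the text by computing the error rate Eve causes in valid rounds.

```python
import cmath

def omega_pow(d, e):
    # w^e with w = exp(2*pi*i/d) (assumed definition); the exponent is reduced mod d
    return cmath.exp(2j * cmath.pi * (e % d) / d)

def mub_vector(d, l, j):
    # ASSUMED form of Eq. (2): e_l^(j) = d^(-1/2) * sum_k w^(k(l + j k)) |k>, d odd prime
    return [omega_pow(d, k * (l + j * k)) / d ** 0.5 for k in range(d)]

def apply_u(d, state, x, y):
    # U_{x,y} = X_d^x Y_d^y with X_d = diag(w^n), Y_d = diag(w^(n^2)), Eqs. (4) and (6)
    return [amp * omega_pow(d, x * n + y * n * n) for n, amp in enumerate(state)]

def outcome_probs(d, state, J):
    # Born probabilities of each outcome a when `state` is measured in basis J
    probs = []
    for a in range(d):
        overlap = sum(b.conjugate() * s for b, s in zip(mub_vector(d, a, J), state))
        probs.append(abs(overlap) ** 2)
    return probs

def run_round(d, xs, ys, J):
    # |psi_0> = e_0^(0) passes through every party's U_{x_n,y_n}; R_1 measures in J
    state = mub_vector(d, 0, 0)
    for x, y in zip(xs, ys):
        state = apply_u(d, state, x, y)
    return outcome_probs(d, state, J)

def intercept_resend_error(d, xs, ys, link):
    # Exact probability that a valid round violates Eq. (8) when Eve measures the
    # qudit after the first `link` parties in a uniformly random basis and resends
    # the vector she observed.
    J, target = sum(ys) % d, sum(xs) % d      # valid round: J = sum(y_n) mod d
    state = mub_vector(d, 0, 0)
    for x, y in zip(xs[:link], ys[:link]):
        state = apply_u(d, state, x, y)
    p_ok = 0.0
    for j_eve in range(d):
        p_eve = outcome_probs(d, state, j_eve)
        for l_eve in range(d):
            resent = mub_vector(d, l_eve, j_eve)
            for x, y in zip(xs[link:], ys[link:]):
                resent = apply_u(d, resent, x, y)
            p_ok += p_eve[l_eve] * outcome_probs(d, resent, J)[target] / d
    return 1.0 - p_ok

if __name__ == "__main__":
    d, xs, ys = 5, [1, 4, 2, 3], [2, 0, 4, 1]    # constructed sample choices, R_1 first
    print(run_round(d, xs, ys, J=sum(ys) % d))   # valid round: one outcome is certain
    print(run_round(d, xs, ys, J=3))             # invalid round: uniform outcomes
    print(intercept_resend_error(d, xs, ys, link=2))
```

Under this intercept-resend model the fraction of valid check rounds that fail Eq. (8) evaluates to $((d-1)/d)^2$, which is the quantity the distributor's test in step (vi) is sensitive to.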

For more general eavesdropping attacks, in the qudit
transfer from $R_k$ to $R_{k+1}$, we can regard the parties
$R_1, \ldots, R_k$ as a 'block' effectively representing a single
party, and parties $R_{k+1}, \ldots, R_{N+1}$ and $R_1$, acting as the
measuring party, we can treat similarly. Thus, the attack
is reducible to the scenario encountered in the BB84 two-party
QKD (see e.g. M) in which the sender and the
receiver, both effectively our $R_1$, do not announce their
bases, but only validity of a run. Generally, this makes
security effectively perfect, even if Eve tries this strategy
at more than one qudit transfer link.

An alternative trick which can be used by Eve is to
send via the unitary gate of partner $R_k$ one more qudit
or even a multi-qudit pulse, say separated in time, so
that it can be somehow intercepted by her beyond the
gate, without intercepting the protocol qudit. After $y_k$
is announced she can learn the actual unitary transformation
and thus $x_n$. However, this is easily detectable
if $R_k$ makes a measurement of the number of particles at the
exit of his/her gate (in some randomly chosen runs).

Yet another possibility is for Eve to intercept the qudit
sent by $R_1$, and send a qudit of her own to $R_2$ in its
stead. Eve collects her qudit once it is sent by $R_{N+1}$,
and waits for the announcement of the $y_n$'s. The intercepted
qudit of $R_1$ can be somehow manipulated by her; however,
it must reach the measurement station of $R_1$ at the
right time. After the $y_n$'s are announced she can measure
her qudit and recover the value $x_2 + \ldots + x_{N+1} \mod d$.
However, the attack will be detected in step (vi) of the
protocol since $R_1$ performs the measurement before the
$y_n$'s are announced. There is no way for Eve to perform a
$y_n$-dependent manipulation on a qudit which is already
measured by $R_1$.


A. Discussing security against conspiracies 

In secret sharing one faces the possibility of conspiring
cheating subsets of parties. In the worst case, only the
distributor $R_1$ and one more party are honest, leaving
N - 1 conspiring parties. Conspiracies significantly complicate
the security analysis of secret sharing schemes
and much is therefore unknown about the security of various
schemes. Here, we will discuss the robustness of
our scheme against some particular conspiracies. However,
a rigorous security proof for general conspiracies is
unknown.

In, e.g., Refs. eavesdropping attacks using quantum
memories and entangling of systems with an ancilla
were shown to lead to security problems in the protocol
of Ref. H- However, the attacks of [1^ require that either
the first or the final party are cheating, which never
happens in our protocol as $R_1$ is effectively both first and
last party. Additionally, the eavesdropping attacks of [1^
require knowledge of also $y_1$ and $J$, which is impossible
since $R_1$ never announces any data.

More generally, the cheaters could use some attack
based on entangling the qudit with an ancilla, or possibly
storing the protocol qudit in a quantum memory
and creating a new entangled state, of which a subsystem
is communicated further along the protocol loop. Still,
they ought not to be able to profit. The reason is that the
absence of data announcement from $R_1$ renders the qudit
available for the cheaters effectively in a mixed state,
for which there is no observable which would give an outcome
with unit probability. Furthermore, if the cheaters
combine their attack with eavesdropping on the actions
of the honest parties, they will be detected in step (vi) of
the protocol on the basis of the arguments from the previous
section.


V. COMPARING SECRET SHARING SCHEMES

There exist a number of quantum protocols for secret
sharing. The protocols for three and four-partite secret
sharing proposed in Q and their generalization to high-level
multipartite configurations Q require the preparation of
a high-fidelity GHZ state with N + 1 subsystems. With
growing N this becomes an increasingly difficult task.
The experimental requirements make these schemes unscalable.
Furthermore, another problem arises if we also
consider inefficient detection. Let $\eta \in [0,1]$ be the detector
efficiency. Given that the condition (3) is satisfied for
a particular round, it is required that all parties succeed
with their measurements, otherwise the round has to be
rejected. The probability that all N + 1 detection stations
give a successful detection is $\eta^{N+1}$. Furthermore,
note that in GHZ state protocols $d(N+1)$ detectors are
required. As each detection station introduces possible
registration errors, the overall error would accumulate.
However, such GHZ state protocols can enable security
against device manipulation, which is an important security
feature when the experimenter does not fully control
its own measuring device.

Consider now secret sharing with QKD involving qudits,
in which the distributor uses N pairwise independent
QKD channels, each shared with one of the recipients.
The protocol of such type which is directly comparable
to our scheme involves encoding in d different
MUBs. For every round the distributor sends data $x_n$
to party n such that suitable correlations are obtained
to achieve secret sharing. However, using d-level QKD
each recipient has a probability of 1/d to choose the correct
basis. If the QKD scheme between the distributor
and $R_n$ is repeated m times, the probability that $R_n$
chooses the correct basis at least once is $1 - (1 - 1/d)^m$.
For successful secret sharing through QKD, the distributor
has to repeat the scheme independently with each
party until all of them report a correct choice of basis
at least once. The probability $p_{\mathrm{success}}$ that for all
$n = 2, \ldots, N+1$, $R_n$ has at least one correct choice is
$p_{\mathrm{success}} = [1 - (1 - 1/d)^m]^N$. Solving for the number of
rounds, m, we find

$$m = \frac{\ln\left(1 - p_{\mathrm{success}}^{1/N}\right)}{\ln(1 - 1/d)}.$$

As an example, we can choose N = 10, and pick d large, say d = 23, so
that $p_{\mathrm{success}}$ leads to a good estimate of the number of
rounds required to distribute exactly one number to each
recipient. We require that the probability of success is
somewhat high, say $p_{\mathrm{success}} = 0.8$. Then the approximate
number of rounds required is about m = 86. For
distributing a secret of realistic size in many shares and to
guarantee its security, one will typically need to distribute
larger data sets. In this estimation we have not considered
the parties having inefficient detectors. Including
this possibility decreases the protocol efficiency by an
average factor of $\eta^N$. Therefore, such QKD-schemes require
many more rounds and detectors than our scheme.
However, the security of QKD [2l| is more robust and
well studied than that of secret sharing, which allows for
higher security at the price of lower efficiency.

The security can be further increased for such QKD
schemes by performing the QKD in a device independent
manner, i.e. with parties performing measurements
on an entangled state obtaining data that violates a Bell
inequality. However, this also leads to an additional reduction
of efficiency due to the low key rates and high experimental
requirements associated with device independent
schemes.


In our protocol, for any N, only a single qudit is required.
This enhances experimental feasibility: there is
no issue of scalability of the initial state preparation. As
the protocol involves just one detector station, scalability
is further enhanced. In addition, from the point of view of
interferometry, our scheme is in the domain of single particle
interference. It is well known that one can achieve
very high interference visibilities in such cases whereas
multiparticle interference effects for photons can acquire
high visibilities only in the case of two qubits. Multiphoton
qudit experiments will experience alignment problems,
errors due to imperfections in the optical components
and only partial distinguishability of photons coming
from different sources [23| . For security purposes,
it is very important to keep the quantum error rates to
a minimum. However, our scheme requires control over
the devices and the security against collective attacks remains
unknown. Finally, we do note that our scheme
requires the same number of local unitary operations as
is used in the corresponding GHZ state protocol 0, and
is therefore subject to the same accumulation of noise
due to imperfections in the local unitary actions.

VI. CONCLUSIONS 

We have presented a secret sharing protocol using only
the communication of a single qudit. While the security
proofs are incomplete against possible sophisticated attacks
which we did not include in our analysis, the scheme
is secure against standard attacks. The scheme provides
big advantages in scalability over earlier schemes and
thus makes proof-of-concept experiments feasible. Moreover,
using our methods a wide class of quantum protocols
using (multiparty) entanglement can be mapped into
simple ones involving one qudit.